Cybersecurity and data protection are becoming imperatives for Long Island businesses as government regulations tighten and hackers work 9-to-5 shifts like run-of-the-mill office workers, experts said Thursday.

Mark J. Viola, global chief information security officer for Melville-based Henry Schein Inc., said the distributor of products to the offices of dentists, physicians and veterinarians, had a "significant number" of phishing incidents, where bogus emails sought to pry sensitive information from the company's 22,000 employees.

Since the company, with operations in 34 countries, rolled out "multifactor authentication" worldwide two years ago, the frequency of successful phishing attacks has been brought down to "near zero," he said.

James. M. Black from Silverman Acampora LLP speaks to attendees about the European Union's recently announced General Data Privacy Regulation (GDPR) during a cyber security conference at NYIT's Deseversky mansion in Old Westbury, Nov. 15, 2018. Photo Credit: Johnny Milano

Multifactor authentication employs two or more methods to verify a person's identity, such as a password and a fingerprint, a facial scan or a code sent to a trusted mobile phone.

Viola delivered the keynote address Thursday at a seminar at New York Institute of Technology's Old Westbury campus on data protection and privacy laws. The event was hosted by the Commerce Department's U.S. Commercial Service and NYIT's College of Engineering and Computing Sciences.

Moderator Michael Nizich, director of the Entrepreneurship and Technology Innovation Center at NYIT, warned of a yawning gap between computer science graduates and the number of cyber defenders needed in the United States.

He said that in some places around the world, hacking is becoming institutionalized.

"These attackers are working in offices," he said. "They're working 9 to 5."

Another speaker, James M. Black, partner at Jericho-based law firm Silverman Acampora LLP, said companies will need to negotiate an increasingly complex web of data privacy regulations and laws.

The European Union's General Data Protection Regulation looms large for companies. The GDPR, which took effect in May, applies to organizations with operations within the EU or offering goods and services within the 28-country union.

Unlike the United States, where users often have to opt out of data collection and sharing from providers of services like social networks, Black said in the EU "everything is opt in," meaning users have to explicitly agree to such practices.

The EU rules, which give consumers rights to verify records and "be forgotten," are far more stringent than those in the United States, Black said.

Penalties for failing to comply can be 20 million euros ($22.7 million) or 4 percent of annual global revenue.

"You could wipe out an entire annual profit," he said.

Black said the United States has a patchwork of relatively weak privacy rules and action on the federal level is urgently needed.

"The feds have to act," he said. "It's a decade overdue to have a privacy law similar to GDPR."